Security solutions provider FireEye has said that Russia and Iran are looking to conduct disruptive cyber-attacks on OT [operational technology] targets in the Middle East in a bid to disrupt industrial production. OT consists of machinery, asset monitoring systems and industrial control systems.
Alister Shepherd, Director for Middle East and Africa at Mandiant, a unit of FireEye, told TechRadar Middle East that Russia is going to use the Trisis malware, which targets safety systems at industrial plants. That malware triggered a brief blackout in Ukraine’s power systems in 2015 and 2016, and in 2017 it disrupted a Saudi Arabian petrochemical plant and forced it to shut down.
Trisis is the third known malware notorious for disrupting physical equipment. The first was Stuxnet, known to have been developed by the US and Israel to sabotage Iran’s nuclear ambitions, while the second was the Iranian malware known as Shamoon 1, which in 2012 reportedly destroyed thousands of computers at Saudi Aramco and Qatar’s RasGas. Shamoon 2 made similar attacks in 2016 and 2017, while Shamoon 3 made a new wave of attacks against oil and gas plants in the Middle East in December 2018.
“In the first quarter of this year, we saw large volumes of Iranian state-sponsored attacks targeting clients and victims in the region, including Saudi Arabia, UAE, Bahrain, Lebanon and Kuwait, and combined with lower volumes of other financially-motivated APT groups,” Shepherd said.
He added that Iran would definitely intend to respond to the tightening of sanctions at the end of the six-month oil waiver, which came into effect on May 2, 2019.
The US introduced sanctions on Iran in November 2018 but gave a waiver to eight nations – India, China, Turkey, Greece, Italy, Japan, Taiwan and South Korea.
The US has already exited the Joint Comprehensive Plan of Action (JCPOA), also known as ‘Iran nuclear deal’, created in 2015.
“So far, we have seen limited capability from Iran to take disruptive actions against the US despite the increase in sophistication and volume of attacks while security and maturity in the region are lower,” he said.
Moreover, he said that Iran targets Saudi Arabia and regional oil and gas industries but it [Iran] is finding it difficult to have the same impact it did in 2012 and 2013.
State-sponsored or advanced persistent threat (APT) groups such as APT33, APT34, APT35 and APT39 are from Iran, and their victims span every sector and extend well beyond regional conflicts in the Middle East.
The old and the new players
The countries believed to have the most developed cyber warfare capabilities are the US, China, Russia, Iran and North Korea, but Shepherd said that Israel, Pakistan and Turkey are becoming active this year, in addition to prolific financial threat groups such as FIN6 and FIN7.
In the US, the FIN7 hacking group has stolen over 15 million credit card numbers from more than 3,600 locations, and it has stolen more than $1 billion from companies around the world.
“We are going to see nation-states continue to develop their offensive capabilities and some of those to be deployed aggressively in IT and OT systems,” Shepherd said.
He said that when Iranian malware is not being used to carry out attacks against its targets, its operators are conducting espionage and stealing data.
Moreover, he said that Russia will continue to conduct operations via social media to spread fake news, as it did during the US elections, and through more covert operations such as hacking and tactically leaking data in ways that may sow discord, including in the Middle East.